ECSH33701 - Records testing: introduction

Throughout your compliance check you will need to view records to confirm the business’s compliance with the relevant requirements of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), and that its policies, controls and procedures are appropriate to the risk of money laundering, terrorist and proliferation financing (ML/TF/PF).

For example, you will need to confirm the business is keeping records of customer due diligence (CDD) checks and sufficient supporting records to enable the transaction to be reconstructed. You will also need to review records to demonstrate compliance with:

  • Risk assessment and management.
  • Policies, controls and procedures (PCPs).
  • The monitoring and management of compliance with, and the internal communication of, its PCPs.
  • Training of relevant staff.
  • Suspicious activity reporting.

The records you examine, and the analysis you carry out on them, will depend on the type of intervention and will:

  • Support and quantify the impact of any breaches you identify.
  • Help you to decide an appropriate outcome.
  • Provide evidence when imposing a sanction.

You can find more guidance to help you select transactions to test compliance within the links at the bottom of this page,

You may find it useful to provide the business with a link to guidance on GOV.UK relating to How HMRC checks on businesses registered for money laundering supervision.


What to ask for

The records you can expect to see will depend on the size and nature of the business activities and the supervised sector(s). You must plan what records you need to examine, the reason they are required, and when you need to see them.

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)



Depending on the type of intervention you are working, you may have already obtained some records from the business prior to a meeting. For example, you will usually have reviewed the business’s risk assessment and PCP documents to understand the types of records the business maintains and may have received customer or transactional data and completed some analysis on it (this might not be appropriate for all cases, for example if carrying out an unannounced visit, you will need to establish and confirm the records held during the visit).

It is best practice to walkthrough a transaction from beginning to end, to understand the records raised, issued, and received throughout a transaction and understand the systems used. This will allow you to identify other records you want to test.

For more guidance on this, see confirming customer due diligence measures are appropriate. Consider highlighting records you will need throughout the interview, as they are brought up. For example, if the business says it keeps a manual cash book, you will want to see that as part of your testing.

You will need to ask the business to describe its CDD measures to understand what checks are performed, so that you can select appropriate records to test. For example, you establish that a business carries out checks on source of funds for transactions above a financial threshold of £20,000. It determined this threshold by reviewing its average transaction value, and the threshold captures the top 10% of transactions, which are considered higher risk. From this, you decide that you will select some transactions above £20,000 and ask to see information regarding source of funds checks carried out. If the business doesn’t have this information, you will need to establish why, using the guidance for Specific breaches of customer due diligence to help you.

You might not know all the records you need to test until you have spoken to all the appropriate people in the business. If you find further risks as your check progresses, you must consider what other records you need to see so that you can address those risks and adapt your plan accordingly. Areas of greatest risk, weakness, or non-compliance should be the focus.

 

Types of records

Business records that can be used to test compliance can include:

  • transaction records
  • customer files
  • internal compliance management reports
  • internal or external system reviews or audits
  • daily records of transactions
  • invoices
  • till receipts
  • cheques
  • paying-in books
  • customer correspondence and emails
  • export documentation (such as customs declarations and bills of lading)
  • specific customer activity reports
  • reports from a computer accounts system (such as a cash report)
  • regime specific documents (for example, for high value dealers (HVD) who are Excise traders, checks on Alcohol Warehouse Registration Scheme (AWRS) or Ware housekeepers and Owners of Warehoused Goods Regulations (WOWGR)).

Not all of these will be applicable to all sectors and business models, so you need to understand what records will be applicable to the compliance check and know your reason for asking for particular records. Read the sector specific guidance for more information on what you can expect to see.

 

How should records testing be conducted?

You should have already established where the records are held, to determine where to conduct the meeting.

When you are conducting a face-to-face visit, you must plan and manage your time effectively. You should prioritise viewing transaction processes and systems, and testing CDD records during the meeting, as it is more difficult to replicate the CDD process away from a business premises.

When you are conducting desk-based checks and need to carry out CDD records testing, you will have to obtain the documents securely - use the guidance for testing Electronic documents and records.

 

Redacted documents

During the records testing, a business may ask if you can accept redacted documents to protect their customers’ personal data.

You should consider:

  • which documents you are requesting to see
  • the reason you are requesting to see these documents
  • why the business wants to provide redacted documents
  • what information the business intends to redact
  • if you will be able to carry out your records testing effectively, to recreate transactions and establish the purpose and intended nature of the transaction or business relationship if documents have been redacted.

Case study 1

An accountancy service provider (ASP) has stated that they do not agree to providing full copies of documents by email or Dropbox and is only prepared to send redacted copies to you. In this case, you should consider what information would be redacted if you accepted copies by email or Dropbox. To overcome this, you may decide to visit the ASP to view documents at the business premises.

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)


Case study 2

During a visit, an art market participant (AMP) asks if redacted documents can be provided to you to protect their customers’ personal data. As part of the AMP’s customer due diligence (CDD) process, the AMP completes a customer onboarding form which includes details of the bank account the customer will use to purchase the artwork. Part of your checks will be to confirm whether payment was made from the customers' account, by locating the payment in the AMP’s bank statements. If the bank account information was redacted from the customer onboarding form, you cannot confirm the procedure is working in practice. You should explain that you need to see the unredacted copies to complete your compliance check.


What to do if you encounter resistance to viewing records

Confidentiality is important to businesses, therefore some resistance to allowing you to view customer records may be met. If you encounter this, refer to guidance on “what to do if a business is reluctant to provide information due to General Data Protection Regulation (GDPR) concerns”.

You may need to use a notice under regulation 66 MLR 2017 in order for the business to produce the documents you need.